Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
14-05-2024 13:28
General
-
Target
https://hosting.tempauto.ru/Adobe.rar
Malware Config
Signatures
-
Detect ZGRat V1 33 IoCs
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
ModiLoader Second Stage 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hosting.tempauto.ru/Adobe.rar1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ace946f8,0x7ff8ace94708,0x7ff8ace947182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5184 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,5677956901345935370,3328233966009059957,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5288 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap28572:72:7zEvent46871⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\Adobe.exe"C:\Users\Admin\Downloads\Adobe.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\Downloads\Adobe.exe C:\\Users\\Public\\Libraries\\Fusgwewd.PIF2⤵
-
C:\Users\Public\Libraries\dwewgsuF.pifC:\Users\Public\Libraries\dwewgsuF.pif2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ce4c898f8fc7601e2fbc252fdadb5115
SHA101bf06badc5da353e539c7c07527d30dccc55a91
SHA256bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA51280fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54158365912175436289496136e7912c2
SHA1813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA51274b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
187B
MD513782a4f38ec953f8680ded952447946
SHA11b2bf0ab8616dfd4b36655abefeecd114647d9c5
SHA256900d5ad4a4b754b605d1d0e7bd621875d15898c774fd8037e78006fa01703a97
SHA5127a1258750c91263586fd3a8717a32c04be4e18594390179cc32b7426fe7f8c3d09721ba4aebf0fa9a360710541ad32a7d9b5ce12a13501b54a327b4d6380b081
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5f2430146aad9de0d4ae0ac8c5c466a44
SHA132d81ea351353e7bb4ddd1f046dc722f75b85d3e
SHA25616026218f2849929f511e726e0b6ced0f9dfb2ef60f2657c0e8e38d9e0bb1293
SHA512b8a9e0a3f780b946bd4bfb0dfeb552762604c068b7410e1c0a12a2edc8ebcb0fb2ef84d924dbb6b1005b9751f8adaba5cc7729b9304caef1b4dab88a8f4a50a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57f35f896dea260eb57d808e64821c79f
SHA14412e0c484735fc3db5956b413754bf6d84f1f47
SHA2560be308204b5054d852a0156475f9038004c353a556a39f1adb170080c95e977e
SHA512ea3b01c2cfc475d9fe7898903c227882dcf6382e8b4ad331bdcac6f859e3c6a2a3d9ff319533b3c9b47b302c5940202b8762b2e557400676679fa212759b5738
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD556b1109c15cf413bbfe9415911c24866
SHA172e301b23eece466aa95833b357289112ae37aeb
SHA256ec6092c4e4d63a4056b2b3a2ae4b92aa38444edb321ff13a858e0ba7cd267ca2
SHA512de69297e5d4baccb642ff9e28b7a4ee4fea3243df7eda8bbb701a70394e3f0f3492b597e9145a54585a357706cc5ac90979d8da04b6f6f4787b94d1d9302320a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD51f42bf355139398397164adbdc73da17
SHA1bf72dd8c152767a37bb3bd0541713fcfa8363c45
SHA256c2dc12aca07ce9c197f21a0dfe0592a690332e171ddae37d1850620708aa9150
SHA512b9386c635eb5d3e2f553bda89c60ebc1f771cba8f7a877ce844d89fb8dbbac51e3d82e85a27977748fc7e529f4dabeb97d5b5467d7bfdc88f1b72344f9144652
-
C:\Users\Admin\Downloads\Adobe.exeFilesize
1.4MB
MD532769244b3c9180aaeda9bdbc94e3c28
SHA1a76ee5e814514bcdce374b2a12adb69f216be63c
SHA256fe396a1237d49be994cea981a0634f8535736c67942d050b43dca2c38038de52
SHA5126cf72600a174d64eb1f3513dbeeb4c445c619a2352836705796e7f636082b9178d99d08e7c7e6ff8162617b41e9ffc0f609a00916f0fb2a7d91ab499d3717f43
-
C:\Users\Admin\Downloads\Adobe.rarFilesize
412KB
MD588592b17526e132988cee3ad37f0d852
SHA1c49c43010c7e9d812437eed3cb8a1ac21812d81c
SHA256cd5999b7894bd16871b5f43adf2d2dd9c12e67977e01566ac39f09abb0d04835
SHA5121fc43dfdc57dfc52926c7d02ee3c9efde294e72bd015a8fb343bacce8e94004823ac0f9e630c45a2ae58dec36a18e30ba69ccb6e68dc58490f2e7ca201d2cd26
-
C:\Users\Public\Libraries\dwewgsuF.pifFilesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
\??\pipe\LOCAL\crashpad_1452_ATHRPOIPCBLUZPWHMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4900-142-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-121-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-101-0x000000003DE10000-0x000000003DE6E000-memory.dmpFilesize
376KB
-
memory/4900-145-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-153-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-161-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-159-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-157-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-155-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-151-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-149-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-147-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-143-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-99-0x000000003DCD0000-0x000000003DD2E000-memory.dmpFilesize
376KB
-
memory/4900-137-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-135-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-133-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-132-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-129-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-125-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-123-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-100-0x0000000040620000-0x0000000040BC4000-memory.dmpFilesize
5.6MB
-
memory/4900-119-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-118-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-115-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-113-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-111-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-109-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-107-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-105-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-139-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-127-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-103-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-102-0x000000003DE10000-0x000000003DE67000-memory.dmpFilesize
348KB
-
memory/4900-1254-0x0000000040580000-0x00000000405E6000-memory.dmpFilesize
408KB
-
memory/4900-1257-0x0000000041BD0000-0x0000000041C20000-memory.dmpFilesize
320KB
-
memory/4900-1258-0x0000000041C20000-0x0000000041CBC000-memory.dmpFilesize
624KB
-
memory/4900-97-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/4900-1261-0x0000000041E30000-0x0000000041EC2000-memory.dmpFilesize
584KB
-
memory/4900-1262-0x0000000042040000-0x000000004204A000-memory.dmpFilesize
40KB
-
memory/4900-94-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/4920-86-0x0000000000400000-0x000000000057D000-memory.dmpFilesize
1.5MB